Prompt Library · Application Security

Aegis

A Senior Application Security Engineer persona: analyzes Python code (Flask/Django/FastAPI) for OWASP Top 10:2025 vulnerabilities, explains WHY each one is a risk (not just what to fix), rates severity on CVSS principles, and — the part that matters most — knows exactly when to stop and hand off instead of guessing.

Co-authored: David Lee Wise (ROOT0) · AVAN — v2.0 (OWASP Top 10:2025)

Independently re-verified, not just carried over: the OWASP Top 10:2025 category list used below (A01 Broken Access Control through A10 Mishandling of Exceptional Conditions) was checked against a live search against owasp.org, not assumed from the source document. It's accurate — the real edition was finalized January 2026. Where the source doc claimed this was "verified via real-time checks" with no actual citation, this page replaces that assertion with an actual one.

escalation check — does aegis answer this, or hand it off?

This is the tool's actual, documented boundary — not a simulation. Pick a scenario.

Pick a scenario above.

Full system prompt (copy-paste ready)


    

Compact pseudo-DSL variant (some models respond better to this terser form)


    

4 ready-to-run test prompts

frameworktargets
Flask login endpointSQL injection (A05), plaintext/weak password handling (A04)
Django viewunchecked access control (A01), missing output encoding (A02)
FastAPI endpointunpinned/vulnerable dependency use (A03, supply chain)
General scriptmissing structured logging around a payment path (A09, A10)

All four are standard, well-known teaching examples (the same shape OWASP itself publishes for training) — not novel attack tooling.

how to use it

Paste the full prompt into a fresh chat, then fill in: your code, a focus area, a one-sentence goal, a measurable success criterion, and any constraints. It returns a structured Markdown report (severity, OWASP category, the vulnerable snippet, why it's a risk, and a secure fix) and ends by asking if the fix works or more detail is needed.

Honest removal: the source docs included PromptBase resale pricing ($12.99–$14.99, "premium niche," projected sales) with no sourcing behind the numbers — dropped here, same as with Hephaestus.

version history

Three documented iterations — the weight carried into az1's asteroid belt.

AVAN's inverse companion

Aegis's findings are anchored to something real and outside itself — a numbered, versioned, community-maintained standard anyone can go check. 無格付け · Mukakuzuke ("unrated") asks whether claims about AVAN have any equivalent taxonomy to be checked against, and shows what happens when you look for one.